identity management internet2 fall meeting jack suess, cio, umbc jack/talks/idman.htm
TRANSCRIPT
Identity Management
Internet2 Fall Meeting
Jack Suess, CIO, UMBChttp://userpages.umbc.edu/~jack/talks/idman.htm
2
Identity Management Definition
What do we mean by Identity Management?• CSU definition - An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them, what resources the person is authorized to access, while protecting individual privacy and access to confidential information.
3
Let’s Analyze the Definition
Infrastructure - software and hardware
Collection - not just technology
Technology and policy - Policy is as important as technology
Networked computer systems - implies distributed technology and communication over the network
Access - Who am I
Authorized - What can I do
Protecting - limiting access and protecting information
4
Infrastructure for Identity
ManagementCommon elements• System of record (SOR) - system for identifying
university membership (e.g. SIS, HR, Alumni)• Registry - aggregation point where key data elements
from SOR are integrated• Directory - LDAP service that organizes registry
information and responds to requests• Authenticator - service that authenticates (e.g.
Kerberos)• WebISO - web-based authentication• Groups - university roles• Services - application services that utilize IdM• Policy - definitions and structure
5
UMBC Directory Architecture
Public LDAP(Whitepages)
(SunOne DS5)
Oracle DB
LDAPDirectory
(iPlanet 4.1x)
AuthenticationService(MIT K5)
MetadirectoryProcesses
(perl)SIS
(HP MPE)
HRSystem
User Input DirectoryManagmentApplications
Replica Replica
SISMirror
OutgoingConnectors
(perl)
To Consumers
Radius,WebAuth,PeopleSoft,etc.
UNIX Systems,Win2K Labs,AFS
Email Clients
Email Routing
6
Authentication API University Addressbook
OnCourseActive
DirectorySteel Web PgsPplSft Insite
Shakes/Jewels
----------------- Applications and Services ------------------
Modems
Foundation
Other University AffiliationsContinuing
StudiesOthers
University People Information
Eclipse
Alumni
MY IU UIS Appl
Virtual Private Network (VPN)
ERAFIS
DemographicData
HR Data Others
Library Others
Person
al Accou
nt C
reation &
Ad
min
istration (S
elf Service)
Authorization APIInformation Extract
(LDAP)
Extract/Load Process Extract/Load Process GDS
EnterpriseDirectory/
InformationStore
PIN
TokenPassword
Authentication
SIDEMPID
ISN
MATHMajor
C201
UITS
IUK
IU.EDUE-mailNameSpace
GradesClerk
AcctManager
HRRep
Advisor
KerberosSafeword
AS Server
Core Services
Authorization& Roles DB
Other DirectoriesADS, Departmental
Accou
nts S
taffL
ocal/ Cam
pu
s Su
pp
ort P
roviders
Accou
nt/In
formation
Mgt &
Main
t
7
Technology and Policy
Policy Issues• Rules for membership in your community. Who is an active student, who is a faculty member, who is an alumni?
• Who is eligible for an account? Under what circumstances?
• What services are they allowed to access?• Who can sponsor affiliate members?• How long do you remain a member of the community?
• What about guests or the public?
8
Authentication and Authorization
Authentication - Who am I?
• Shared secret -- password?• Secret key - PKI• Biometrics/other?
Authorization - What am I allowed to do or access?
• Affinity groups are defined and populated. Roles are based on a combination of affinities.
Identity Management system must answer both questions.
9
Security and Availability
An Identity Management (IdM) system is a the heart of defining who may have accounts on different systems
The IdM is exposed to the Internet and must be hardened and protected as a critical IT resource
Key Issues:• Failover• Capacity to meet peak loads• Capacity to meet critical service needs
Replication and distribution are key
10
Beginning an Identity Management
ProjectExecutive sponsorship is critical. Develop a business case for the project and treat it like any other development project
The project will have tremendous implications inside IT on how you provide services, make certain you get everyone on board.
The project requires access to data. Get agreements in place from data stewards before beginning project.
Don’t scrimp on hardware, focus on 99.999 uptime
11
Questions to Answer
What follows are some questions you want to have answered prior to starting your Identity Management project
12
How do you define who is eligible
for different services?• Obvious: staff, faculty, students
• Less obvious: –Alumni, supporters?–Parents –Sponsored or affiliate ID’s–Transient e.g. meetings and conferences–Former employees–Research partners–Affiliates: auxiliaries, credit union, teachers
13
Eligibility -- Thorny Issues
• Intermittent roles – persistent ID’s?–Lecturers, seasonal employees–students
• Multiple roles – change roles, keep ID’s?–Student workers–Staff students
• Multi-campus issues- common id across system?
• Does everyone need to be in your IDM? “Frontier-class” service
14
Eligibility -- Create Policy First
Indiana
•Policy defines who can have and sponsor accounts.
•Accounts Management System will implement policy in software.
15
What were the challenges in creating
a single namespace?Once you define who is eligible to be in your IM you must create a person registry from multipe SOR.
For each person in the registry you must define an account name. Dealing with conflicts is a political challenge.
Get agreement on ground rules prior to starting the project.
Provide flexibility. People care more about their email address than they do their username!
When creating new authentication service, require strong passwords!
16
Indiana University Name Space
•Had to work across 8 campuses plus 4 major data centers
•Ground work in 1988 with "username format summit"*Namespace consolidation project began "in earnest" in 1997
•Required high-level leverage (University CIO)
•Consisted of iterative generation and review of name lists of various naming organizations
•Person who had name first got to keep it
•Took 3 years to complete
17
•Namespace
•Person who had an identifier the longest got to keep it
•Took over 3 years to complete
•In 2002, moved namespace to enterprise LDAP directory
•UMBC created common namespace in 1995 when we merged academic and administrative computing
•In 2002 we allowed users to select account name and promote that they create custom email aliases (up to 3). Giving custom email aliases lessens namespace complaints
18
Distribution of Credentials
•Identity Management usually necessitates automated distribution of credentials
•Credentials are managed through an account management system
•Faculty/staff/students initiate account process online.
•Account holders (faculty/staff) may be authorized to sponsor affiliates. Affiliate accounts are linked to the sponsor.
19
Will authentication strength vary by
application type?•Consider providing alternative authentication methods and allow services to specify level of authentication and timeout period
•We use two levels and we are looking at a third level { id : pin ; username:password }
•We would like a third level that we use in addition to username:password
•WebISO defines password level, timeout duration, attributes released, etc.
20
How do you handle authorization to
services?Problem: our legacy services assumed that authentication implies authorization.
Remedy: Use IdM to define affiliations and control access by group membership
Strategy: Create 15-20 automatically maintained major affiliation types (example: faculty, staff, student, affiliate and several gradations of each) to define roles
Challenge: It isn’t easy to keep this maintained and not all services can use groups
21
How do you insure privacy and
accountability?•Rapidly evolving area -- GLB,HIPAA, CA SB-1386, etc.
•Directory services allows services to be delegated more broadly -- make sure staff that get access are trained in privacy regulations
•Review logging procedures and log retention
•Limit who has direct access to the directory and who can update the directory
•IdM can serve role as translator and lessen use of private data such as SSN
•One consequence of directories is that it can facilitate spamming, limit trolling
22
Revocation of Credentials?
•Worked with IT Steering Committee and faculty senate 18 months on account deletion plans.
•Developed state diagram, accounts transition through these states. Time in each state is determined by UMBCperson affiliation
•Requires ability to delegate authority on accounts to sponsoring entity. They can sponsor anyone but take responsibility for those they sponsor.
•Runs nightly based on last effective date
•Highly political - everyone wants free access
25
Future Plans
•Expanding person affinities and defining the group membership criteria
•Implement Shibboleth with our Web-ISO
•Implement user-selectable privacy filters for user controlled release of information
•Expand the API for our using our WebISO
26
Questions
Jack Suess - [email protected]
Online Slideshttp://userpages.umbc.edu/~jack/talks/idman.htm
Resources:
http://middleware.internet2.edu/
http://www.nmi-edit.org/